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Information Commissioner’s Office 


ICO Information Request Handling Procedures 
1. Introduction 


It is important to remember that the Information Commissioners 
Office (ICO) is subject to all the legislation it regulates. All requests 
for information to the ICO need to be handled in accordance with 
the Freedom of Information Act 2000 (FOIA), Data Protection Act 
1998 (DPA) and the Environmental Information Regulations (EIR). 


The Information Governance Department (IGD) is responsible for 
acknowledging requests for information, collating the information 
requested and responding to all requests received by ICO unless 
they can be dealt with as a normal day to day enquiry. There is 
separate guidance about what should be dealt with as a normal 
course of business enquiry which also covers what staff should do 
should they receive an information request. 


The IGD is also responsible for acknowledging and coordinating 
responses to internal review requests under FOIA and EIR. These 
procedures set out the processes that the ICD follow when dealing 
with an information request or request for internal review. 


2. Requests for information contained in the I CO 
publication scheme 


Requests for information which form part of the ICO’s publication 
scheme compliance should be dealt with as a normal course of 
business enquiry and therefore should not need to be dealt with by 
IGD. Any such request should be passed to the First Contact Team 
to deal with. 


All staff should also be familiar with the information available via 
our publication scheme. Our guidance on information reasonably 
accessible to the applicant by other means states that “It will 
generally be fair to assume that any information described within a 
publication scheme and made available under it is reasonably 
accessible to an applicant and that all the public authority needs to 
do, therefore, is to draw the applicant’s attention to the scheme.” 
The response to such requests should be issued as soon as possible 
and certainly within the statutory time limits. 
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3. Types of Requests submitted to the I CO 


There are four different types of other request that the ICO might 
receive, aside from those which should be dealt with as enquiries in 
the normal course of business. It is important that the legislation 
under which a request is made is identified from the outset, as each 
will be dealt with slightly differently. The requests may be any of 
the following: 


Requests for information made under FOIA. 

Requests for personal data made under the DPA. 

Requests for environmental information made under the EIR. 
Request from complainants for information held on their case 
files which are primarily dealt with under DPA, with other 
information on the case file falling outside the DPA being 
considered under FOIA or EIR depending on the nature of the 
complaint (hybrid requests). 


All requests under FOIA and DPA should be made in writing. Verbal 
requests are valid under EIR although a written record should be 
made of any verbal request. 


The ICO has a duty to comply with the DDA (Disability 
Discrimination Act). Individuals requiring assistance in submitting 
requests are dealt with in accordance with the |CO’s reasonable 
adjustments policy available on ICON. Where a verbal request is 
taken over the telephone the written note of the telephone request 
is sent to the applicant and once verified and returned by the 
applicant, would constitute a written and therefore valid request for 
information. The statutory time limit for response would begin 
when the written confirmation from the individual was received. 


4. Receiving and acknowledging a request 


The IGD receives requests through a number of different routes: 

e Directly from individuals into the IGD mail in-box or direct 
letter/fax addressed to the department 

e Communications which are referred by First Contact to the 
1GD’s CMEH queue 

e Requests embedded in cases which are referred either to the 
IGD in-box or to the |GD’s CMEH queue as a provide advice 
item 


Requests will be referred to the IGD either by First Contact, via the 
IGD in-box, or by Case Officers when the request is embedded in an 
existing case. 
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All requests for information to be dealt with by IGD will be logged 
on CMEH as cases and given a reference number that has the prefix 
IRQ. For confidentiality reasons, we may process some requests 
outside CMEH for example where the request has been made by 
member of staff. A manual file will be created by IGD and a note 
added to CMEH confirming the location of the manual file. There is 
a separate set of procedures on how to administer an IRQ on CMEH 
‘Information Requests - CMEH Procedures’. 


The request case will be set up and an acknowledgement letter sent 
to the requester within two days. The letter will clearly state the 
date by which the requester can expect a response. The case is 
then added to the IGD queue. 


5. Establishing whether it is a valid request 


The first stage once a request has been received is establishing 
whether it is a valid request: 
e is it in writing? 
e does it contain the name and an address for correspondence? 
e has the requester used a pseudonym? 
e does it describe the information being requested? 


Where a request has been made via Twitter it may well be a valid 
request in line with section 8(1) of FOIA if the requester has 
provided their name and a valid address. Where possible a 
response to the requester should be sent for example by providing 
a web link. If the name or address is not provided it is not a valid 
request, therefore if information is not being provided a reply 
should be sent advising the requester of this, and asking for the 
required information. 


6. Seeking Clarification 


At the stage of acknowledgement, we may need to ask for proof of 
ID or authorisation (where dealing with a SAR on behalf of another 
individual), or any other clarification. Where the request is not 
clear, can be read in more than one way or we haven’t got enough 
information needed to locate and retrieve the information being 
requested, clarification should be sought from the requester rather 
than try and interpret the scope of the request. 


Advice and assistance must be provided to the applicant to enable 
him or her to describe more clearly the information requested. The 
aim of providing advice and assistance is to clarify the nature of the 
information sought, not to determine the aims or motivation of the 
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requester. Care should be taken not to give the applicant the 
impression that he or she is obliged to disclose the nature of his or 
her interest. It is important that the applicant is contacted as soon 
as possible, preferably by telephone or e-mail, where more 
information is needed to clarify what is sought. 


The case is closed in the acknowledging team member’s name 
pending the receipt of the requested clarification. Once the 
clarification is received, the case is then reopened, acknowledged 
and referred back to the IGD queue for processing in the normal 
way. 


7. Requests which can be responded to immediately 


Alternatively the request may be for information which, although 
not included in the publication scheme, can be provided 
immediately, or is for information which is not held by the ICO. 


In either of these circumstances the response can be sent 
immediately, and the case closed. Where the information is not 
held it may be appropriate to explain why and, if the request is 
misguided, to provide advice and assistance suggesting where the 
information may be held. 


Advice should be sought by members of staff outside the IGD 
regarding requests that can be responded to as normal course of 
business. Such requests should be responded to promptly and 
certainly within the statutory 20 working days. 


8. Transferring the Request 


If, after seeking clarification, there is reason to believe that some or 
all of the information requested is not held by ICO but it is held by 
another public authority, consideration must be given as to what 
would be the most helpful way of assisting the requester with his or 
her request. 


In most cases this is likely to involve contacting the requester and 
informing him or her that the information requested may be held by 
another public authority, or suggesting that the applicant re-applies 
to the authority which the original authority believes may hold the 
information and providing him or her with contact details for that 
authority. 


9. Gathering and collating the information 
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Having interpreted the request searches should be carried out as 
appropriate on CMEH, ICON, Meridio and the website to establish 
what information is held in an accessible area of the network. The 
disclosure log and previous responses should also be consulted 
when gathering information, although due to the time elapsed since 
the response accuracy may be an issue. 


The request handler then identifies the possible department/s which 
may hold any additional information. The department is added on 
the CMEH party list as “request consultant” and an e-mail should be 
sent to the request consultant as soon as possible to allow them a 
reasonable time to respond. 


The communication with the consultant should: 


e Clearly specify the information requested. You can either 
provide a summary of the request or the actual wording of the 
request 

e Enquire whether information which falls within the scope of 
the request is held by the department 

e Specify a date by which a response should be provided to IGD 
(usually at least one week before the request is due) 

e Ask for any views that the Department may have on 
disclosing the information 

e Ask for any additional information which might put the 
information being requested into context and provide 
additional assistance to the requester. 


It some cases it may be necessary to send an ‘all staff’ email to ask 
staff to check their computers and manual files for information 
covered by the scope of the request. 


10. Cost 


If the information is held, estimate whether the cost of complying 
with the request exceeds the ‘appropriate limit’ as set out in the 
Freedom of Information and Data Protection (Appropriate Limit and 
Fees) Regulations 2004 (Fees Regulations). 


You may only consider the following factors when estimating the 
cost. 

- Determining whether the information is held 

- Locating the information or documents containing the information 
- Retrieving the information 

- Extracting the information from documents 
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Under section 12(2) of FOIA, if you estimate that the cost of 
complying with the request would exceed the appropriate limit, you 
do not have to comply. However, you must provide advice and 
assistance to the applicant to enable them to reformulate their 
request, and try to bring it within the cost limit, advising them that 
this will be treated as a new request. 


11. Consultation 


If the information requested includes correspondence or information 
provided by a third party (for example a data controller, public 
authority or any government department) it may be necessary to 
contact that individual or organisation to seek their views on the 
disclosure. 


The communication with the consulted organisation should specify 
the documents considered for disclosure, and where necessary we 
may also need to provide a copy of the information considered for 
disclosure. A time frame for the reply should be given to the 
organisation consulted. 


12. Case Advisory Groups 


Where there are concerns as to the extent of the information which 
should be provided in response to the request or the impact of 
disclosure, it may be necessary to call a Case Advisory Group. Case 
advisory groups can be set up where there are concerns about 
whether an exemption is engaged, to ensure that a full public 
interest test is carried out, or where there may be Section 59 DPA 
implications. Arrange the meeting as soon as possible within the 20 
day response period. The composition of the group will depend on 
the nature of the request (DP or FOI) and the nature of the 
information requested. 


A record should be made of any decisions reached by the Case 
Advisory Group and this should be placed on the file on CMEH. 


We may also need to consult with staff internally regarding the 
release of personal information about them. 


13. Responding to a Request 


A checklist has been developed for use by the IGD which is a really 
useful guide. This is attached as an annex to these procedures. 


Responses to requests should be sent as soon as the information is 
available. In some cases it may be possible to respond 
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immediately, upon receipt, in which case it is not necessary to send 
an acknowledgment. 


The information contained within the response will vary according to 
the nature of the request. Generally speaking a response to an 
FOI/EIR request should initially confirm whether or not the 
information requested is held, although there are some exceptions 
to this. 


In cases where information is withheld, a refusal notice should be 
issued. This should set out the exemption/s applied, and the reason 
why it is engaged. It will also be necessary to apply the public 
interest test when certain FOIA exemptions are used. 


As the majority of cases are dealt with on CMEH, make sure that 
there is a record for what information was provided in response to 
the request. Clearly label the copy of un-redacted information in 
case it is subject for future request, internal review or Section 50 
complaint to the Commissioner. Requests handled outside CMEH 
should have a clearly labelled copy of the information provided and 
the unredacted copies of information as appropriate. 


Ensure that you have complied with any reasonable request for a 
particular format, electronic or hardcopy. Where an electronic copy 
is being sent make sure it is sent in pdf format. 


Ensure that the correct review or right of appeal paragraphs are 
included and for an FOIA or EIR request a copy of the review 
procedure is enclosed or attached. 


Ensure that you have checked any attachments or enclosures which 
are being provided in response to the request before sending out 
the response. Where responses are voluminous or sensitive then 
peer checking of the information may be advisable. 


A check of the postal or email address of the requester should be 
made against the original request before sending out the response. 


For case file requests a quick email should be sent to the relevant 
case officer informing them of the outcome of the request. 


14. Responding to requests for reviews 


Create an RCC case and keep it in your name. Acknowledge receipt 
of the request for review as soon as it is received and give the 
latest date by which the requester can expect a response. 
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Copy on to the RCC from the IRQ case copies of: 
e The original request 
The response 
Copies of information provided 
Copies of unredacted information where applicable 
Request for review 
Acknowledgement 


Identify the reviewer and send them an email confirming the case 
reference, a brief outline of the reason a review has been requested 
and confirm the deadline for response. Provide assistance to 
reviewers who require you to send a response through CMEH. 


Make sure that the reviewers are including in their response advice 
to the requester about their right to complain to the Commissioner 
under section 50 of the FOIA. Add the details of the review, the 
outcome and any actions needed to the ‘Information Requests - 
Internal Review’ spreadsheet held on Meridio. 
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Annex 


ICO Information requests - checklist 


ICO Information Request Handling Procedure 


Is the request from an individual for information about their 
case/complaint? If so, generally in the first instance treat it as a 
DPA subject access request, but bear in mind that some 
information in the file may need to be considered for disclosure 
under FOIA or EIR. Policy Delivery is currently developing tools 
to help decide to what extent information held on case files 
should be considered for disclosure under DPA or FOIA/EIR, and 
the relevant guidance will be available shortly. 


Is the information already available through our publication 
scheme? 


Where necessary offer advice and assistance as soon as possible, 
preferably by phone. 


Advice and assistance should be offered if the request is vague or 
framed as a question: 


o Give as much information as possible in normal course of 
business 

o Check whether they still require further information 

o Explain the right to request recorded information 

o Explain what sort of information we might hold 


In every case where advice and assistance is provided: 


o Check we have understood what information they require 

Explain what happens next in considering their request 

o Confirm date of receipt and latest date for response (20 
working days) 


O 


Search for the information. If the search would exceed the cost 
limit contact the applicant as soon as possible to explain this and 
help to reformulate their request. 


If we don't hold any information, contact the applicant to explain 
this (unless we have a policy not to confirm or deny, in which 
case send a refusal notice). Offer advice on who else may hold 
the relevant information. 


If we hold the information, is there a good reason not to disclose 
it? 
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e Has the applicant specified a preferred means of communication? 


e Do we need to consult with a third party (eg employee, 
contractor, stakeholder) before deciding on whether to disclose or 
withhold the information under an exemption? 


If we want to withhold the information, can we provide redacted 
documents? 


Is the request voluminous or sensitive and require peer checking? 


If we withhold or redact any information, issue a refusal notice. 
Include: 


o A confirmation that we hold the information (unless an 
exemption applies to the confirmation itself) 

o The section and subsection of the exemption 

o Why the information falls within the exemption (unless 
explanation would disclose exempt information) 

o If prejudice-based, an explanation of likely prejudice 

o If qualified, set out the public interest arguments for and 
against disclosure 

o If absolute, explain there is no public interest test 
requirement 

o How to request an internal review and how to appeal under 
s50 FOIA 


e Has the requesters address been checked against the original 
request? 
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